Excerpts from Modern Bank Heists – Threat Hunting Teams & CIR

Carbon Black recently published a report on the newest threats facing the financial world, and how to counteract them. For more information about how Cb Defense, Carbon Black’s NGAV + EDR solution, helps enterprises address their endpoint security challenges, check out our weekly Cb Defense Live Demo, every Wednesday at 2PM EST, 11AM PST.

Modern Bank Heists

Cyberattacks & Lateral Movements in the Financial Sector

Threat Hunting Teams & Critical Incident Response

Only 37% of financial organizations have established threat hunting teams. Active threat hunting is an important step for organizations with mature security programs. It puts defenders “on the offensive” rather than simply reacting to the deluge of daily alerts.

Threat hunting aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn’t new, for many organizations the very idea of threat hunting is.

The common mindset regarding intrusions is to simply wait until you know they’re there. Typically, though, this approach means that an organization will be waiting an average of 220 days between the intrusion and the first time they hear about it. And even then, it’s typically an external party such as law enforcement or a credit card company that’s telling you.

With threat hunting, defenders are deployed to go out and “find the bad” versus waiting for technology to alert you. Successful threat hunting teams proactively chase down signs that intruders are present or were present in the recent past. They look for anomalies – things that don’t usually happen.

1 in 4 financial institution CISOs reported experiencing counter incident response. This figure is concerning. It means cybercriminals are increasingly reacting and adapting to defenders’ response efforts. Cybercriminals realize there are humans on the other end actively countering their techniques. They realize that teams are, in some cases, instrumented to detect and respond to their activities. They also realize that teams have specific IR playbooks for these types of scenarios.

Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks. These playbooks are generally based off simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker, but with counter incident response, attackers maintain the upper hand. This problem is compounded with secondary command and control (C2) present in several victims (1 in 10, according to our survey). We forecast this will become a more prevalent tactical shift in the coming months.

As SOC and IR teams begin to react, attackers are doing a number of things to counter the defenders.

Changing code to evade new technology

Targeting security analysts and engineers in separate but coordinated attacks

Deleting logs from endpoints to hide nefarious behavior

Executing DDoS attacks on applications and systems critical for defenders and/or the business

Cyber defense is evolving into a high-stakes game of digital chess where opponents are responding to every move made on the board. Teams should be prepared to throw out the IR playbook when necessary.

Nearly half (44%) of financial institution CISOs said they are concerned with the security posture of their Technology Service Providers (TSPs). These TSPs are regularly targeted by cybercriminals. As evidenced by the FDIC’s own inspector general: “The FDIC’s oversight process used for identifying, monitoring, and prioritizing TSPs for examination coverage needs improvement.” Island hopping via information supply chains is growing. Our recommendation is for threat hunt teams and defenders to closely assess TSP security posture.

Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs. Cyberspace is fluid and exposure may become systemic.

Listen to our security experts at Carbon Black and Network Security Engineer Christopher St. Amand at PeoplesBank during a recent webinar where we discussed the benefits of cloud-based security platforms and how they apply to your specific needs.

Thanks for joining us as we explored “Modern Bank Heists,” our report on the changing landscape of cybercrime in the financial sector and how to arm your institution against a breach. You can click here to get a copy of the full report. Join us next week as we continue to profile this report.

Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.

Promoted Content

15-Day Free Trial of NGAV + EDR in the Cloud

Compare Cb Defense to your current solution using real world scenarios, and see how operations transform across your security and IT teams. After you’ve finished the trial, you’ll have everything you need to build a business case and make the switch.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.